Verified Attribute Schema
Issue/Topic: Verified Attributes
Monday – Session 4 - F
Conference: IIW10 May 17-19, 2009
Convener: Kick Willemse
Notes-taker(s): Chris Obdam
A. Tags for the session - technology discussed/ideas considered:
Attribute validation, AX 1.0 (1.1), Defining standard methods/levels of attribute verification, leaving the identity validation to the RPs. OIX.
• AX - OpenID Attribute Exchange Validate Mode - draft from Google, dated 24 Nov 2009 - http://step2.googlecode.com/svn/spec/attribute_exchange_validate/trunk/openid-attribute-exchange-validate-mode.html
B. Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Methods of Validation
1. Self Assertion
2. Proof of possession
   a. Challenge Response Token
      i. Email
      ii. Bank Account
      iii. Mobile (SMS)
      iv. Postal Address
3. Authentic Register
4. Official Statement
   a. Face-to-Face
   b. Passport
   c. Claim
Can an attribute also be validated by an organization that did not issue the information, e.g. can Stanford confirm that I am a Berkeley student?
There is a need for 2 things:
1. An addition to AX for the validation information: validator, validation date and validation method/level.
2. A way to check if the validation method is executed in the right way (OIX?)
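The two needs above, sketched as a relying-party check. This is an added example, not part of the session notes or of any AX draft. The field names, the ranking of the four methods by their list order, and the ACCREDITED table with its example.org/example.net validators are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import Optional


class Method(IntEnum):
    # The four methods from the notes. Treating list order as increasing
    # strength is an assumption of this example.
    SELF_ASSERTION = 1
    PROOF_OF_POSSESSION = 2
    AUTHENTIC_REGISTER = 3
    OFFICIAL_STATEMENT = 4


@dataclass(frozen=True)
class Validation:
    validator: str        # who validated the attribute
    validated_on: date    # validation date
    method: Method        # validation method/level


# Hypothetical accreditation list: which validator may claim which methods.
# Stands in for the "was the method executed in the right way" check.
ACCREDITED = {
    "https://idp.example.org": {Method.PROOF_OF_POSSESSION},
    "https://registry.example.net": {Method.AUTHENTIC_REGISTER,
                                     Method.OFFICIAL_STATEMENT},
}


def evaluate(v: Optional[Validation], min_method: Method,
             max_age: timedelta, today: date) -> str:
    """RP-side decision for one attribute: 'accept' or a reject reason."""
    if v is None:
        # No validation information: treat the value as self-asserted.
        ok = min_method == Method.SELF_ASSERTION
        return "accept" if ok else "reject: unvalidated"
    if v.method < min_method:
        return "reject: method too weak"
    if (v.method != Method.SELF_ASSERTION
            and v.method not in ACCREDITED.get(v.validator, set())):
        return "reject: validator not accredited for method"
    if v.validated_on > today:
        return "reject: validation date in the future"
    if today - v.validated_on > max_age:
        return "reject: validation too old"
    return "accept"
```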
How do you handle the liability for the correctness of the information?
Follow Up Questions:
- Will AX 1.1 support attribute verification?
- What Attribute schemes will be used?
  - X.500
  - hCard
  - SOAP/XML
  - AX-Sreg
  - Other?
- What are suitable attribute verification methods?
- Open Identity Exchange OIX <> Open Attribute Exchange?